30 September 2015

China-US Cyber Agreements: Has Beijing Outmaneuvered Washington?

The United States has been focusing much of its cyber diplomacy around criticism of China’s espionage. This U.S. policy effort might be called the “Fort Meade defense,” after the site of NSA headquarters in Maryland. These criticisms peaked this month with U.S. threats to impose sanctions for civil sector commercial espionage committed by China using cyber assets.

In his visit to the United States last week, President Xi Jinping of China brilliantly outmaneuvered the United States in the Fort Meade defense by declaring, with all of the diplomatic and international legal authority that a head of state wields, that his government did not collect “commercial intelligence.” After those comments, any conversation with Obama about stopping such practices was bound to be surreal and unproductive.

“Commercial intelligence” is defined by the White House as intelligence collected “with the intent of providing competitive advantages to companies or commercial sectors.” This differs from economic espionage, which most states undertake to protect and advance national economic interests.

It is declared U.S. policy to undertake economic espionage, especially when it relates to the science and technology (S&T) capabilities of other countries. Thus, when the Washington Post reported that Xi agreed during his meeting with Obama that China would agree to abide by the norm against “economic cyber spying,” it used a clearly incorrect term. China has agreed no such thing.

Moreover, there is no international legal norm of any kind against cyber espionage if the act is confined to merely collecting of information.

In the case of the United States, the purpose of S&T intelligence (which includes obtaining the design secrets of foreign governments and companies) is to “to provide a comprehensive picture of global scientific and technological advancements.” This is laid out in the 2013 Report of the National Commission for the Review of the Research and Development Programs of the United States Intelligence Community, Unclassified Version. This report on U.S. S&T intelligence (S&TI) called out the high priority to be attached to this: “Failure to properly resource and use our own R&D to appraise, exploit, and counter the scientific and technical developments of our adversaries—including both state and non-state actors—may have more immediate and catastrophic consequences than failure in any other field of intelligence.”

The report opens with the statement that “[t]he global spread of scientific and technical knowledge challenges U.S. national security.” The United States officially acknowledges that it pursues S&TI to “counter” the scientific advances of other countries. Since the main S&T research efforts are in private hands in the United States, then it is inevitable that the government would have to pass S&T intelligence to them so that they could counter the foreign advances.

Thus for the United States as for China, any agreement on stopping commercial espionage is only about the end-user of the intelligence. The mere act of collecting intelligence cannot in itself be definitive, even though both presidents referred constantly to the act of collection.

For an in-depth analysis of this, including skeptical views, we have more than a few sources. Among the critics, we can cite a former British SIS officer (Nigel Inkster, now at IISS) and two leading U.S.-based scholars (Tai Ming Cheung and Jon Lindsay), who have papers published in the 2015 book, China and Cyber Security (OUP). I had made an analysis of similar length prior to the release of the book, based in part on research for my own book, Cyber Policy in China (Polity 2014) and previous experience as an intelligence analyst for 15 years. This argument about the weakness of the U.S. claim has received wide international coverage in the Boston Globe,Handelsblatt (Germany), The Jakarta Post, Huffington Post, several other prominent online magazines, not to mention the prestigious journal from MIT, International Security. Mainstream journalists and most political commentators in the United States continue to ignore such analyses.

For more than a decade, the National Counter Intelligence Executive of the United States has consistently charged China or its entities with being one of the main perpetrators of cyber-enabled commercial espionage against it. This is undoubtedly true. In March 2013, the United States made unprecedented public demands on China when National Security Adviser, Thomas Donilon declared that that Beijing “should take serious steps to investigate and put a stop to … sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.” The demands capped an escalating rhetorical campaign from senior administration figures over the previous two years that this cyber espionage by China represented “the greatest transfer of wealth in human history.”

Some two and a half years later, after even more public demands and a renewed threat of sanctions from Obama himself, Xi undercut the U.S. arguments on his arrival by adding his own standing to long-repeated assertions from his government that China does not collect commercial intelligence (that is, to give it to civil sector companies). He further advanced on the moral high ground by agreeing with his counterpart that the two countries would cooperate on cyber crime (including commercial espionage), set up an associated hotline and new high level working group, and jointly pledge not to attack each other’s critical infrastructure in cyber space. Russia and China signed such a similar agreement on infrastructure (“information resources”) earlier this year.

The U.S. diplomatic focus on commercial espionage has been undermined by critical evaluations of the impact of the supposed economic impacts on U.S. competitiveness that are mentioned above.

The U.S. policy focus on China’s cyber espionage has also been undermined by the administration’s failure to draw sensible connections between its inflammatory rhetoric on cyber espionage and its more measured efforts to curb intellectual property theft in general, laid out extensively and convincingly in a 2013 White House strategy document, “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets.”

In fact, the web of international agreements already obliging China to punish the conversion of trade secrets obtained by any means to the commercial benefit of its corporations is already massive, not least under the WTO. The challenge has been to enforce compliance, as documented in the latest U.S. report on China’s compliance with WTO obligations (December 2014), including IPR protection. Xi’s commitment last week to prevent conversion of trade secret theft to the commercial advantage of Chinese companies, in so far as it relates to intellectual property, is one that China first made almost two decades ago.

The moves by China during Xi’s visit have created a mountain of commentary, quite rightly dissecting definitions, legalisms, and issues of verification. In fact, through confusion over terminology, and its complexity in a mixed economy like China’s (with state-owned companies in key sectors), the joint agreement by China and the United States may have created more diplomatic minefields than it sought to eliminate. We will have to see whether there is an authoritative text in writing agreed by both sides that can withstand inevitable and early controversies.

Yet in spite of major weaknesses in what these commitments might actually represent, Xi’s statements and commitments have elevated the cyber espionage issue to new heights of normative behavior in the bilateral relationship.

What lesson should U.S. diplomatic play-makers take from this? They can rightly applaud the new level of commitment by both China and the United States to behave responsibly in cyberspace. They can continue to promote vigilance by corporations in protecting their commercial secrets from cyber espionage and other forms of theft. But they also have to smell the salts and wake up.

The people playing the Fort Meade defense appear to have lost, or at least gained nothing from Xi’s visit. But it may be wrong to see cyber diplomacy between the two countries as something akin to a football game (or a military battle), in which one side has to lose. Cyber diplomacy really is more of a dance than battle. In dancing, all partners are supposed to gain pleasure, however discomfited either may be with the missteps of the other.

With this dance metaphor in mind, we could choose to see the biggest cyber event in Xi’s visit to the United States as the diplomatic tango (restrained, tense, and impassioned) between the two heads of state over commercial espionage. But it was not. The most exciting event was the hoedown in Seattle, where representatives of the world’s leading high technology firms, 30 American and Chinese business leaders, met the Chinese president in private. The group included Chinese billionaire, Jack Ma, who now lives in California rather than his native China where he made his money.

This is not only the past and the future of the bilateral cyber relationship, it also constitutes the absolutely overwhelming weight of the technology transfer relationship between the two countries. It is a private sector affair in which the governments have to struggle to assert their policy interests.

This is evidenced from an unlikely source. The most substantial scholarly effort to address the scale of China’s exploitation of U.S. technology is probably a 2013 study, titled Chinese Industrial Espionage. Seven of its ten chapters address what are largely lawful methods of technology transfer, such as use of open sources, student exchange programs, joint ventures, and licensing. This book allows us to conclude that Cyber espionage is an important event that we all need to watch but it is not as important as the dance of economic competitiveness, which is something that takes place with a very different set of atmospherics, moves, and end points.

This is why Seattle (and the West coast) will remain in the box seat, rather than Fort Meade (and the East coast), when it comes to U.S.-China cyber diplomacy.